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Letter from the Editor 


Hello again! 


Surprised to see us so soon? So am I! Internally this issue has been called “NDE5” 
but, of course, publicly we're calling it Issue 1 of Volume 2. This is an important 
distinction and speaks to why | wanted to do a preview issue for DEFCON. 


* Our release schedule is built around our conference schedule: It’s difficult 
finding the balance between reporting TO a convention and reporting ON 
a convention, as far as timely release dates are concerned. Do we want our 
DEFCON issue to be released at DEFCON or afterwards in order to review it? 
Well, with this handy-dandy preview issue, we get to do both. 


DEFCON was our first dance: We released issue 1 at DEFCON (late - and the 
printed copies didn’t arrive in time either!) and as awkward and scattered 
as we were in that first offering, the DC crowd accepted us with open arms 
and helped us kick off an incredible year. So, premiering the first issue of 
Vol. 2 this year at DEFCON is important to me. It’s a mix of respect for our 
first venue and a desire to show off our hot new look to the cool kids who 
invited us to the after party last year...OK, | think the dance metaphor is 
falling apart here. 


* The RKS: As part of DEFCON this year I’m giving a talk titled “How to make 
friends and influence lock manufacturers” about some of the work I've been 
privy to via NDE over the past year. A big part of my talk is the RoboKey 
System and it just made sense to have that feature out in the public eye in 
the lead-up to the talk. 


| like to torment my staff: | don't, really, and we went back and forth on 
rushing to put something out the door and giving our sources enough time 
to write meaningful articles. As such, the Drumm Shield article isn’t here 

in the preview. In fact, it likely won't be in NDE until our October Dutch 
Open issue. We like to tell the stories of people involved in this hobby, 
profession and industry. We could blow you away with technical informa- 
tion on the Geminy tomorrow, but we couldn't tell the best story about 
the people involved in making it without taking some more time to talk to 
them. | hope our standard of storytelling is interesting to all of you, in fact, 
I’m counting on it. We're shuffling articles between issues 1 & 2 of Vol. 2 in 
order to bring you the best articles we can. And the staff are working like 
crazy to make it happen. They are really good guys. 


So, that’s what is going on. Oh! And the back page! Oh man, the back page is 
fantastic. Our Managing Editor, Mike Brewerton, has shared NDE with his family 
anytime he has worked on it. His lovely wife has reviewed his articles and now 
his daughter has contributed an article. It’s timely, too: anyone competing this 
weekend keep her encouraging words in mind! That’s it. Enjoy the mag! 


SCHUYLER TOWNE 
EXECUTIVE EDITOR 
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Coming Up In NDE: 


1. Kwikset Smartkey: 
We talk to Walt 
Strader about the 
development of the 
Smartkey system 
and what they 
changed for the 
second generation. 


2. Another “Pick-a- 
lock-with” article 
featuring a friend 
of the magazine. 
This is always one 


of my favorites. 


3. Also: all of the 
articles here in 
the preview, of 
course! 


4. Building a lego- 
lock. A personal 
project of mine, 

| bought 5 Lbs. of 
legos on ebay a 
few weeks ago and 
set to work. 


5. Vol. 2 Issue 2 
previews! Everyone 
loves the previews. 
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Pickers Prepare! DEFCON 
Hosts American Open 


his year’s lockpicking contest at DEFCON is being brought to an entirely new level. Dubbed the 
Tamerica Open” by the TOOOL US sport group it covers several different events. The classics are 

back: Speed and Points competitions will still be standard. However, this year’s main event, the only 
Black Badge event in Lockpicking, is called the “Gringo Warrior” and promises to be a treat for spectators 


and competitors alike. LI is bringing an “Obstacle Course” competition and last year’s “Field Stripping” 
competition returns as well. Here are the descriptions of each event: 


POINTS COMPETITION 


Running all weekend long in the Lock Picking Village (LPV) this event is all about patience and persistance. 
Locks of all difficulty levels, from standard pin tumbler locks with a few stacks removed, all the way up to 
some of the highest security cylinders will be on offer for anyone to try their hand at picking. Each lock is 
assigned a point value based on difficulty. Judges work the room all weekend and anytime a lock is opened 
the pickers will line up to show it off and recieve their points. This competition is great for new pickers 
and advanced pickers alike. Rarely with you have access to this range of locks, tools and experience. 


SPEED COMPETITION 


Big changes to the speed competition this year. This event is what made up the bulk of the previous LPCon 
and has always been popular with attendees. This year TOOOL US take the reigns and are updating the format 
to a point-based head-to-head competition. Each picker will square off against another, be given 2 locks, 

and a set time to open their lock in. Once that time has passed, they swap locks and do it again. Whichever 
picker has the lowest cumulative time, or, in the event that a lock remains unopened, the picker who opens 
the most locks, recieves a point for that round. The next round people who recieved a point will be paired 
and those who didn't paired and the process repeats until a small field is left for a round-robin style final. 


LOCK FIELD STRIPPING 


This was an impromptu addition to last year’s program. In it’s second year the field stripping competition 
proves to be more accessible and more difficult at the same time. Participants are brought through several 
rounds of lock maintainance. Last year this proved to be the first time many of the competitors saw the 
inside of a lock and hopefully this year will be no different. 


In the initial open round, makeshift plug followers, cardboard pinning trays and a standardized 5 or 6 pin 
lock are given out. The goal is to disassemble the lock, lay all of the pieces out for a judge to see and then 
reassemble it. If the original key works and you were in the faster half of the group, you advance, if the 
key doesn’t work or you were too slow. You're eliminated! This year will feature re-keying as well, and in 
the final rounds a high security cylinder yet to be revealed. 
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| OBSTACLE COURSE _ 


The obstacle course was run at DEFCON a few years ago and had made appearances at various cons. This 
year Locksport International have taken up the charge to provide one of the most challenging conests we'll 
see this year. In the obstacle course you are pitted against a wide range of locks that will require you to 
dig deep in the pickset work across every technique you know. 


_GRINGO WARRIOR 


A competition built as much for the pickers as for the on-lookers. Something has gone terribly wrong and 
you find yourself the captive of a malicious assailant. Handcuffed and locked in a cell you have to fight to 
free yourself, disable the guard, recover your passport, and get out of the building safely. Unfortunately for 
you, there is only a 5 minute window to freedom! Act fast and get away clean! This event has been recently 
featured at Schmoocon, Toorcon and Layerone. The fastest competitor wins the day and the Black Badge. 


NDE wishes all of the competitors luck at this year’s American Open. Expect to see a couple of us picking 
right alongside you. 


THE ROBOKEY SYSTEM IS AN INTERESTING NEW 
LOCKING CONCEPT THAT GREW UP RIGHT ALONG- 
SIDE THE LOCKSPORT COMMUNITY. 


eric schmiedl photography 
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The RoboKey System 


hen Bob Loughlin noticed an interesting cutaway lock on 
Wi: he had no idea what he was getting into. It was an 

Anchor Las padlock being sold by Han Fey. As both men 
were avid lock collectors they quickly established a friendship from 
that early connection. They continued to keep in touch. Fast forward 
to September 2005 and Bob was headed to Holland to spend a few 
days in Amsterdam with friends. He invited Han to come up and visit, 
but Han was 100 kilometers away and said he simply didn’t have the 
time. 


The day Bob and his wife arrived at their hotel they were exhausted, 
jet lagged and happy to unload their luggage and relax for a bit. Then 
the phone rang. 


“1am here” - it was Han on the other end. 


The three of them went out to lunch and Han offered to show them 
around Amsterdam. Up to this point, everything was very energetic, 
but fairly normal. Then Han invited Bob out to a TOOOL meeting that 
evening. | think this would be a good time to pause and note that 
Bob, while fit as a fiddle, is 80 years old and his doctor would likely 
have warned against the events to follow. 


Bob and Han were off to a sports center where TOOOL regularly 
reserves a room for their club nights. They traveled by cab through 
the night until Han asked the driver to stop. They exited quite a 
distance from the complex and found themselves confronted by a 
vast, fenced off, trolley yard between them and their destination. It 
was filled with rubble and in the distance Bob could just make out 
the crest of an eerily lit black dome. The first fence, standing before 
the men, was six feet high. 


“It was not like this the last time | was here.” Han quipped before 
stalking along, crouched, staring at the bottom of the fence. Aha! He 
found a bit of the fence loose and exposed where a curb ran under 

it. He pulled it up and motioned for Bob to crawl under. Bob, being 

a good sport, got down and tried to shimmy as best he could under 
the chain link. Han, being a good friend, gave Bob a little help via a 
boot to the butt. With a fwoomph Bob slid through and Han followed 
sprightly behind. They navigated the trolley yard, climbing over and 
around mounds of earth, industrial equipment and any number of 
dark, unseen hazards. 


At this point Bob realized what he was doing. “What am | going to 
tell the cops?” he thought. Then they arrived at the second fence. 
This one was over seven feet tall and before Bob had time to take it 


SCH UYLER TOWNE 


THE INSPIRATION 


John Loughlin, a mechanical 
engineer, joined his father who 
had a background in locks, & had 
formed Stanton Concepts several 
years ealier with John’s brother 
Tom. They saw many areas which 
had gone long overlooked under 
new scrutiny & an opportunity 
to address security concerns 
which had been suffering for 
attention. Their first target was 
shipping containers, & the 
inspiration for the RKS. The question 
was “How do you secure a con- 
tainer that has to change hands 
multiple times with multiple 
authorized parties who need to 
inspect the contents?” Also, 
how to help it survive the 
environmental conditions it 
would suffer on cargo ships, 
docks, & in shipping yards. The 
answer was the RKS. Having the 
low-tech, closed-face physical 
lock separate from the high-tech 
dialer allows the RKS to survive 
extremes in weather & temperature 
much better than an electronic 
locking solution could. The dialer 
itself will allow any authorized 
user access without having 

to ship keys or combinations 
around the world and could 
maintain a clear audit trail of 
where and when the container 
was accessed. While the RKS may 
find a home in any number of 
high-security applications, its 
intended purpose was to be out 
on the open ocean. 
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in, Han had found a foothold in the dark and slung himself 


over the top of the fence and down onto a dumpster just to the "It was hot like 


right of Bob. He motioned Bob over, and with less trepidation 

and far more trust than this frenetic Dutchman probably 7 7 
deserved at that point in their friendship, Bob stuck his foot this the last time 
out into the dark as Han had done, found purchase, and 


vaulted himself over the fence and onto the dumpster. He | was here!" 


had made it. Then he noticed the security guard. 


Between them and the entrance to the building was a guard house with a slow trickle of people arriving 
and passing through it to use the facility for one sport or another. At that moment, however, the guard 
wasn’t focused on them. Han was quick to act, and as the guard saw them and moved to confront them, 
Han walked right in the front past him. The guard shouted “That's not the way to get in!” to which Han 
replied “Oh?” and just kept moving. Bob obediently followed behind, and the flustered guard offered no 
further opposition. 


Bob had the innovative new cylinder in his pocket throughout this ordeal and when he handed it over to 
the club group that night they lavished it with attention. Barry taught Bob how to pick and he managed to 
open his first lock that night. As far as Bob was concerned he had just made it through a hell of a hazing, 
and won! 


John Loughlin, Bob’s son and co-inventor of the RKS, was then invited out to the 2006 Dutch Open where a 
roomful of some of the best lockpickers on the planet brainstormed potential attacks. In the waning minutes 
of the convention as people were walking out the door, an ambitious picker grabbed a palm sander and 
placed it against the face of the lock. Not much happened, but there was a very slight movement, a light 
spin beginning on the discs of the lock. Now, would that attack have ever worked in practice? Doubtful, 
extremely doubtful in fact, but that will be apparent when we describe the mechanism. However, despite 
the attack being low risk, the fix for it was relatively inexpensive and unobtrusive, so they incorporated it. 
Now, | know that doesn’t sound incredible on the surface, but if you have been in the hobby or industry for 
any reasonable amount of time, you know how rare it is to find spool pins in the locks you buy at home 
improvement stores. For lack of a standardized double-ball mechanism Master Lock padlocks are easily 
shimmable (some do have the double ball mechanism, but not most). So, the fact that this inventor would 
upgrade his product, for an unverified and unlikely attack, simply because it would improve the security of 
the lock, is absolutely inspiring. 


HOW THE LOCK WORKS: 


At first glance the RKS looks like a disc detainer lock, but aside from the form factor and the general 
appearance, it is nothing like one. The basic operation is that of a safe lock with 6 wheels. Each disc has a 
fly on either side of it, just like a wheel on a safe, so that when you rotate one disc, it catches the next and 
begins to turn it, catching the next disc and the next, until, just by controlling the first disc in the series, 
you are controlling all of the discs in turn. Then, you leave the last one behind and begin to rotate in the 
opposite direction. We've all used a school locker or combination lock at the gym. You know the process: 
turn the dial X number of times in one direction until you get to your first number, and then turn it in the 
opposite direction to get to the second, and then reverse directions again. Now, with your school padlock 
you would arrive at last number and pop, your locker opened up. With the RKS you are setting 6 individual 
wheels. A Master Lock combination lock is only a good comparison to explain the basic mechanism, after 
that the analogy quickly breaks down. 


First, with a combination lock you have access to the scale of the numbers and a means to operate them, 
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but the RKS offers no convenient purchase for manipulation and the dialer is a separate mechanism 
altogether. In order to manipulate the lock you would either need access to a manual dialer for the 
specific “keyway*” of the lock you were attacking, or to build one. Assuming you can accomplish this, you 
then have the discs themselves to deal with. The conventional dialer offers a nice “click” as you pass over 
each number. While this is very handy for entering the combination, if you are trying to derive that code 
via manipulation the constant audible and tactile clicking will interfere with any feedback you would get 
from the wheels. In addition to this, each wheel has false gates carved into them to inhibit feedback and 
balance the weight of the discs against a vibration attack as previously described. 


The lock is also quite versatile. The flies between 
wheels are movable and each wheel has 8 
possible positions for the flies. This makes 
rekeying the lock extremely easy. Simply move 
a fly from one location to another and you 

have changed the combination. Physically, the 
mechanism can be built out of whatever materials 
would best suit your purpose, but the prototypes 
are all brass. 


As described, the lock is excellent, but the real 
beauty lies in the automated dialer that gives 
the RoboKey its name. 


AT FIRST GLANCE THE RKS LOOKS LIKE A DISC DETAINER LOCK, BUT 
ASIDE FROM THE FORM FACTOR AND THE GENERAL APPEARANCE, IT 
IS NOTHING LIKE ONE. THE BASIC OPERATION IS THAT OF A SAFE LOCK. 


The concept behind the dialer is simple, a small motor quickly drives the wheels left and right the 
appropriate number of times and distances to enter the combination. The automatic dialer negates the 
need for a user to know a code to open the lock; you simply have to be an authorized user in possession 
of a dialer. This separation of mechanical and electronic elements adds a future-proof characteristic to the 
lock. No matter how you change the dialer, the actual lock will remain the same, allowing you to take 
advantage of any new technological developments that could further improve the dialer system, without 
ever having to update the installed base of locks. The system perpetually and conveniently, evolves. With 
the theme of utilizing emergent technology, there are already many potential ways in which you could 
provide authorization. It could be something as simple as a matched pair, one dialer for one lock with a 
set combination, to something as complex a secure GPS co-ordinate to which the dialer must be delivered 
to before it unlocks the combination. There are biometric and RFID solutions that can be easily incorporated, 
all the way to the potential of dialer integration with a cell phone. The range of possibilities Bob and John 
saw in front of them inspired a big decision. 


: 


After the Dutch Open, John attended ALOA with The concept is simple - the shackle of a padlock 
Barry and Han to demonstrate the RKS and another should not be the weakest link in the, literal, 
concept their company had developed, the Omni- chain. The Omni-Link is a hockey-puck style 
Link. While there, The National Locksmith featured coupling for attaching the ends of a length of 
the RKS in an article, drumming up some early chain to one another. By shielding the shackle 
interest for the company. Stanton Concepts is of your padlock it neutralizes the most common 


actively seeking a licensing deal for their mechanical | attack point for chain-based security. 
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lock technology, however, while they work on that, they wanted to get the dialer out into the wild and see 
what people could do with it. 


“We believe in this product. We're both mechanical engineers, and we've hit lands edge 
and can only take it as far as we've taken it. Making it Open Source really brings in a lot 


of people that are interested in it and let’s them take it so much further. They can identify 
any problems and collaborate on a huge scale, where we've kind of hit our limit.” 


This gives the hobbyist the opportunity to modify their Auto Dialer to interact with the Loughlins’ 
mechanical lock in any way they see fit without need for a license. The RKS can be a great toy for an 
enthusiast, an immediately practical addition to a security solution, or the keystone in demonstrating a 
new authentication scheme. The mechanics are easy; you just have to drive the motor clockwise and counter- 
clockwise. The programming is done via a PIC card and the rest is authentication. Stanton Concepts is 
currently selling the serialized cylinders with manual dialers and will be rolling out the standard version 
of their auto-dialers late this year. Expect the price tag for the whole developer package to come in at 
approximately $300 (USD). When a licensing deal moves forward and the cylinders can be mass produced, 
cost should go down dramatically from that price point. 


The developers have always had their ear to the ground for input from the locksport community, they 


continue to welcome comment and feedback. You can contact John via email at: john@stantonconcepts.us 


Ed. Note: Photographs featuring the internal parts of the RKS and more information on programming the 
dialer will be out with the full issue not long after DEFCON. Stay tuned! 


Encouragement 


BY AMY BREWERTON 


Hi. I’m Amy (Mike’s kid) and I’m ten years old. My dad taught me how to pick a lock when | was eight. The 
first time | picked a lock | got so angry because | thought | couldn’t do it and I jammed the pick in and out 
of the lock. And guess what? It opened! Since then, | have gotten better at picking locks. 

If | can pick a lock, you can too. So, if at first you don’t succeed, try, try again. 


Oh, and now I even have my own lockpick set. 
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Tiger Team: 
The Continuing Adventures 


BY MITCH CAPPER 


It’s late on a spring day, at a well known banking facility in the southwest United States. We are here to 
break in, something odd as there is no real cash here. Although there may be no cash, the computers are 
the real prize in this modern bank. While you may think it would take years of planning to pull off a 
massive bank heist, it’s just another week on the job for us. Don’t get me wrong, it’s certainly a secure 
facility. We’re well aware of that, as we have been scoping the place for over a week. | have with me 

a junior engineer in our security company to help assist with this entry. It isn’t uncommon to work in 
teams; however with it being just myself and my junior associate it’s going to be a long day. After evaluating 
the possible entry points, we decided the best approach is to use a key. Picking is certainly useful and is by 
no means something we shy away from, but the cylinders on this place are high security to say the least. 
Of course, as anyone knows, making a key appear from thin air is no easy feat. We could have tried to steal 
an employee’s key, but if they caught us doing it or alerted maintenance of a missing key our game is over. 
Duplicating a key is another option; we have our custom clamshell kits and some pretty slick methods, 
but had yet to identify a good vulnerable target. We needed to get in soon, but didn’t want to take unnec- 
essary risks. Having never been caught, this was no time to start. Finally we settled on the fireman’s box, 
which is protected in a way to discourage you from even looking at it. 


. We managed to get into it through a few 

We are here to break ff... tricks, probably breaking a few laws in the 
process. We had permission from the company 

to conduct our tests, but if we get caught at this point that may not be enough to save us. The fireman’s 
box gave us keys to the building and the elevators, using our newfound keys we made our way to a hiding 
spot. The first three floors of the place are basically solid concrete, and thus it’s not just getting in the door 
but somewhere safe. We have to remain calm as we go past security and the employees; | have been doing 
this for over a decade but it never gets any easier. Finally it is 4:45 pm, just prior to closing. Our hiding 
place is located several floors up on a floor under construction. 


This was our new home for the next few hours, hiding to make sure no one found us, as it would be hard 
to explain being around there. We listen to the cleaning crews make their rounds and after several hours it 
is time for us to make our move. We have one target and that’s the datacenter in the building. There is just 
one catch, it’s on the ninth floor and there is only one way up. None of the elevators or main stairwells goes 
to it. It can only be reached through one stairwell, located in the center of the building. 


Once onto the ninth floor it was like a graveyard. They took their closing time very seriously and there 
was no one in sight. | guess that’s why them call them Banker’s hours. Massive glass doors were visible in 
front of us, with a nice lock and security plate staring us in the face. We could try to jimmy the lock with 
a few custom tools to bypass the security plate, but it was fairly long. Upon trying to figure out the best 
way through the doors, we noticed that the security plate over the door was installed backwards, with the 
Philips screws facing us. Sometimes the easiest way isn’t immediately apparent, but now we had found it. 
We took out a screwdriver and made short work of the security plate. Now all that was left was the 
classic credit card trick to get through the glass doors. 


We are in and can practically taste success. Once you have physical access to a server, real protection is 
nearly impossible. We dump the domain into Rainbow Crack and get the accounts we need. As we 
approach the finish line | feel my phone start to vibrate. | look at the phone and its one of my partners in 
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our company. | figure we aren’t in much risk and I'd like to gloat about our recent accomplishment with 
the bank. | answer the phone and before | get a word in | hear “Dude, guess where we are?” It is actually 
two of my partners and they have beat me to the punch for gloating today. They are located 60 feet above 
an international airport with full control of the phones, computers and ventilation, and its now Sunday 
mid-day. Not to be outdone, | point out that we also were successful and currently have full control of a 
room in charge of hundreds of millions of dollars of live transfers. We quietly escape out of the bank and 
enjoy the rest of the Sunday afternoon. 


The only thing more outrageous than this work of fiction is the fact that it is actually a true story, straight 
out of an interview with the guys at Alternative Technology. You may know them better from their TV 
special on Christmas: The Tiger Team, which brought in one of the largest openings of any True/Court TV 
show to date. It was Luke and a junior associate from AltTech that were in charge of the bank job. Other 
than on the TV show it is not frequent that Luke, Chris, and Ryan get to work the same site together. They 
are certainly not out of contact though, as Chris and Ryan were the ones to call Luke to talk about their 
airport penetration test. These aren't old tales either. It all occurred only a year or so ago, well within 

the era of post 9/11 heightened security. Even airport security wasn’t an issue, upon DHS (Department of 
Homeland Security) questioning them as to what they were up to, they simply responded “A security 
assessment” and were on their way. The officer didn’t ask for ID nor did he check with his superiors, all 
too often people are your weakest link. Once Chris and Ryan had control, they collected the data needed to 
make their report. Sometimes it’s hard not to have a little fun, and might have changed a gate display to 
offer a salutation to Chris, and then made their call to Luke. Once Luke reported his millions were under 
control they jokingly talked about stealing a plane and heading to Cuba. AltTech has a multi-million dollar 
policy on each one of them, and sorry, no internships are available. 


Alternative Technology is always hired by the people who control the facilities they will be testing. Don’t 
think everyone is in on it though, other than the absolute minimum staff necessary, no one is informed 
about what they are doing. They do things as realistically as they can and that includes keeping as many 
people as possible in the dark during the test. There are several governing agencies at work at any one 
airport: TSA, FAA, DHS, and the governing body in charge of the physical aspects of the airport, the Airport 
Authority. It is the AA who hired AltTech to perform their tests and only a select few knew about it. Their 
job is not all fun and danger however, for every job there is a very thorough and detailed report and follow 
up (something not really shown on their TV special). A company who never gets caught and always gets 
the job done is a rarity in this industry. 


The guys at AltTech were kind enough to take the time for our interview and | would like to thank them 
for that. For those looking for more of Luke, Chris, and Ryan you may be able to catch them on TV again 
sometime soon (even though Tiger Team was a onetime showing). In addition, some of the members enjoy 
hanging around the Locksport community so keep your eyes open. 
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